def nl2br(value):
    """nl2br(value : any) -> htmltext

    Escape *value* and put a ``<br />`` in front of every newline so that
    line breaks survive in rendered HTML.  The argument goes through
    htmlescape() first, so a plain string cannot carry markup into the
    result; an htmltext argument is left as-is by htmlescape() (see the
    module docstring).  Only the ``<br />`` tags added here are unescaped.
    """
    escaped = htmlescape(value).s
    with_breaks = escaped.replace('\n', '<br />\n')
    return htmltext(with_breaks)
def htmltag(tag, xml_end=False, css_class=None, **attrs):
    """Create a HTML tag.

    Returns the opening tag ``<tag ...>`` as htmltext; with *xml_end*
    true the tag is self-closed as ``<tag ... />``.  Keyword arguments
    become attributes: a value of None drops the attribute,
    ValuelessAttr renders it as ``name="name"``, and every other value
    is passed through htmlescape() and stringify() before being quoted.
    *css_class* is the way to supply the ``class`` attribute (``class``
    is a Python keyword and cannot be a keyword argument); it is placed
    after the other attributes.  Attribute names come from keyword
    names and are written as given; only values are escaped.
    """
    if css_class is not None:
        attrs['class'] = css_class
    parts = ["<%s" % tag]
    for name, value in attrs.items():
        if value is ValuelessAttr:
            value = name
        if value is None:
            continue
        parts.append(' %s="%s"' % (name, stringify(htmlescape(value))))
    parts.append(" />" if xml_end else ">")
    return htmltext("".join(parts))
def htmltag(tag, xml_end=False, css_class=None, **attrs):
    """Create a HTML tag.

    Build the opening tag for *tag* as htmltext.  Each keyword argument
    is written as ``name="value"`` with the value run through
    htmlescape(); None means "omit this attribute" and ValuelessAttr
    means "repeat the name as the value" (e.g. ``checked="checked"``).
    *css_class*, when given, is appended last as the ``class``
    attribute.  With *xml_end* true the tag closes itself (``/>``).
    Attribute names are emitted verbatim; only values are escaped.
    """
    if css_class is not None:
        attrs['class'] = css_class

    def render(name, value):
        # ValuelessAttr stands for an attribute whose value is its own name.
        if value is ValuelessAttr:
            value = name
        if value is None:
            return None
        return ' %s="%s"' % (name, htmlescape(value))

    rendered = [render(name, value) for name, value in attrs.items()]
    attribute_text = "".join(piece for piece in rendered if piece is not None)
    closing = " />" if xml_end else ">"
    return htmltext("".join(["<%s" % tag, attribute_text, closing]))
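def _q_format(value, conversion=-1, format_spec=None):
    """Format one ``{...}`` replacement field of an [html] f-string.

    *conversion* is -1 for "no conversion" or the ordinal of the
    conversion character (``r``, ``s`` or ``a``); *format_spec* is the
    optional spec following the colon, or None.  The value is wrapped
    with _wraparg() before str.format() is applied (presumably so the
    formatted text ends up escaped — see _wraparg) and the result is
    returned as htmltext.

    Raises AssertionError for any other conversion character.  The
    error is raised explicitly instead of via an ``assert`` statement,
    because ``assert`` is stripped under ``python -O`` and the function
    would then continue with ``fmt`` unbound.
    """
    if conversion == -1 and format_spec is None:
        return htmlescape(value)  # simple and fast case
    if conversion == -1:
        fmt = '{%s}'
    else:
        conversion = chr(conversion)
        if conversion == 'r':
            fmt = '{%s!r}'
        elif conversion == 's':
            fmt = '{%s!s}'
        elif conversion == 'a':
            fmt = '{%s!a}'
        else:
            raise AssertionError('invalid conversion %r' % conversion)
    arg = _wraparg(value)
    # Splice the format spec into the field; an empty/None spec leaves
    # the field as just the conversion.
    if format_spec:
        fmt = fmt % (':' + str(format_spec))
    else:
        fmt = fmt % ''
    return htmltext(fmt.format(arg))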
def href(url, text, title=None, **attrs):
    """Return an ``<a>`` element linking to *url* with *text* as its body.

    *url*, *title* and any extra keyword attributes are rendered by
    htmltag(), which escapes attribute values; *text* goes through
    htmlescape(), so a plain string is escaped while htmltext is used
    verbatim.  Nothing here inspects the URL itself (its scheme, for
    instance), so an untrusted *url* should be validated by the caller.
    """
    opening = htmltag("a", href=url, title=title, **attrs)
    body = htmlescape(text)
    closing = htmltext("</a>")
    return opening + body + closing
"""Various functions for dealing with HTML. These functions are fairly simple but it is critical that they be used correctly. Many security problems are caused by escaping errors (cross site scripting is one example). The HTML and XML standards on www.w3c.org and www.xml.com should be studied, especially the sections on character sets, entities, attributes and values. htmltext and htmlescape ----------------------- This type and function are meant to be used with [html] PTL template type. The htmltext type designates data that does not need to be escaped and the htmlescape() function calls str() on the argument, escapes the resulting string and returns a htmltext instance. htmlescape() does nothing to htmltext instances. url_quote --------- Use for quoting data to be included as part of a URL, for example: input = "foo bar" ... '<a href="/search?keyword=%s">' % url_quote(input) Note that URLs are usually used as attribute values and might need to have HTML special characters escaped. As an example of incorrect usage: url = 'http://example.com/?a=1&copy=0' # INCORRECT